DevHeads.net

VPN suggestions centos 6, 7

Folks

I would like to have my windows 7 laptop communicate with my home
server via a VPN, in such a way that it appears to be "inside" my
home network. It should not only let me appear to be at home for any
external query, but also let me access my computers inside my home.

I already have this working using M$'s PPTP using my home Centos 6
gateway/router as the PoPToP server. However, I am concerned about
the privacy/security of such a connection.

I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan
(and probably others I haven't noted). I'd be interested in hearing
from anyone who wishes to comment about which to use, with the
following requirements:

1) As noted, it should be secure (anti NSA?)
2) Works on Centos 6 and Centos 7 and Windows 7 (and for the future,
Windows 10)
3) Can be set up on the server with command line interfaces only (no GUI)

And, should not be a nightmare to set up.

Any thoughts?

David

Comments

Re: VPN suggestions centos 6, 7

By nux at 04/05/2016 - 13:16

Have a look at Openconnect Server (ocserv), it's a free implementation of Cisco AnyConnect.

It's the easiest VPN I ever had to setup and it's compatible with most Cisco AnyConnect clients and of course OpenConnect clients (such as NetworkManager-openconnect).

http://www.infradead.org/ocserv/

hth

Re: VPN suggestions centos 6, 7

By Lamar Owen at 04/05/2016 - 13:13

On 04/05/2016 12:30 PM, Gordon Messmer wrote:
I did have numerous issues with the road warrior cases with the IPSec
solution, many of which were firewall/captive portal issues and not
issues with the otherwise excellent SmoothTunnel. I will admit that I
have not tried an IPsec solution in a while, but I haven't had the need
to do so, either.

OpenVPN AS takes all the hard parts out of the server-side config, and
it works well on CentOS 7 (which is the platform on which I am running
the server). For point-to-point remote offices, I deploy small routers
running DD-WRT, which has a reasonable OpenVPN client that works well
once you get it working initially. It isn't necessarily the easiest to
get working, though.

Re: VPN suggestions centos 6, 7

By Alexander Dalloz at 04/04/2016 - 16:28

On 04.04.2016 at 19:57, david wrote:

https://www.tinc-vpn.org/

Alexander

Re: VPN suggestions centos 6, 7

By Gordon Messmer at 04/04/2016 - 16:18

On 04/04/2016 10:57 AM, david wrote:
I recommend l2tp/ipsec. It's supported out of the box on a wide variety
of client platforms, which means significantly less work to set up the
clients.

OpenVPN is a popular choice, and it's fine for most people. It's more
work to set up than l2tp/ipsec, typically. We used it for quite a while
at my previous employer, though ultimately dropped it because the
Windows GUI requires admin rights to run, and we didn't want to continue
giving admin rights to the users we supported.

Re: VPN suggestions centos 6, 7

By Eero Volotinen at 04/05/2016 - 03:07

IPSec is not a recommended solution nowadays. OpenVPN runs on top of a single
udp or tcp port, so it usually works in strictly firewalled places like
hotels and so on.

Re: VPN suggestions centos 6, 7

By Gordon Messmer at 04/05/2016 - 12:30

On 04/05/2016 12:07 AM, Eero Volotinen wrote:
IPSec is typically encapsulated on UDP port 4500, due to the ubiquity of
NAT. OpenVPN doesn't really have an advantage, there.

Re: VPN suggestions centos 6, 7

By Eero Volotinen at 04/05/2016 - 12:36

Yes, openvpn works on any single udp or tcp port.

In many hotels only http, https and dns are allowed. So you just can't use
ipsec, but openvpn works as it's usually configured to listen on the https port.

Re: VPN suggestions centos 6, 7

By Dennis J. at 04/05/2016 - 11:52

How is IPSec "not a recommended solution nowadays"?

I tend to use IPSec for site-to-site connections i.e. the ones that run
24/7 and only require two experienced people to set up (the admins at
both endpoints).
For host-to-site setups I prefer OpenVPN, since explaining to end users
how to set up an ipsec connection is nigh impossible, whereas with
OpenVPN I can simply tell them to install the software and then unzip an
archive into a directory and they are done.

Regards,
Dennis

On 05.04.2016 09:07, Eero Volotinen wrote:

Re: VPN suggestions centos 6, 7

By Gordon Messmer at 04/05/2016 - 12:36

On 04/05/2016 08:52 AM, Dennis Jacobfeuerborn wrote:
So, send them a powershell script:

Add-VpnConnection -Name "My VPN" -ServerAddress "vpn.example.com" `
    -AuthenticationMethod PAP -TunnelType L2TP -L2tpPsk "whyareyouusingapsk?" `
    -AllUserConnection -Force -RememberCredential -PassThru -SplitTunneling

Re: VPN suggestions centos 6, 7

By Eero Volotinen at 04/05/2016 - 11:57

Well. IPSec might work with site-to-site connections, but usually
road-warrior mode users experience (a lot of) problems.

They might be related to hotels that only allow https, http and dns
protocols or broken nat implementations and so on.

Re: VPN suggestions centos 6, 7

By Francis Mendoza at 04/05/2016 - 06:46

OpenVPN is the best open-source VPN for me; it can connect from any connection,
such as airports, hotels, restaurants, resorts, malls, and it never let me down.
And configuration is easy for those who have an idea of what they want to
achieve.

Re: VPN suggestions centos 6, 7

By Leon Fauster at 04/05/2016 - 08:10

On 05.04.2016 at 12:46, Francis Mendoza < ... at mytechrepublic dot com> wrote:
"easy" is qualitative - PKI is the core of an OpenVPN infrastructure and not trivial anyway.
As someone stated before, privacy/security is complex; everything else is a product.

IMHO: IPSec-VPN is a bit more complex than an SSL-VPN like OpenVPN.

I even sometimes use an SSL-VPN connection over an IPSec-VPN.

Re: VPN suggestions centos 6, 7

By Paul Heinlein at 04/04/2016 - 16:08

OpenVPN can be all that. I say "can be" because you'll want to
research how best to configure it. Done poorly, it won't be as secure
as you want. Thankfully, there are a lot of blog posts and list
threads to consult; it won't take more than a couple hours of reading
to work out the base configuration.

This might be a problem. :-)

OpenVPN is designed to scale pretty well, but scaling it requires a
decent knowledge of SSL infrastructure: creating, distributing, and
revoking certificates. The Easy-RSA utility can ease the process, but
using it securely takes time and reading.

A very small OpenVPN setup can be done with shared static key, but
that approach has its own disadvantages (no PFS, all keys in plain
text, no distribution mechanism).

In short, OpenVPN is an excellent toolset that can be made very secure
-- and will manage much of the complexity for you -- but it requires a
non-trivial amount of effort to configure correctly.

To paraphrase The Princess Bride: Security is pain. Anyone who says
differently is selling something.

Re: VPN suggestions centos 6, 7

By Jussi Hirvi at 04/04/2016 - 15:08

My partner has been using Openvpn extensively. It looks very reasonable
and has been quite trustworthy.

It is configured via commandline. The server seems to work on Windows,
too ("Vista and later"). There are good tutorials for CentOs, for example

https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-7

- Jussi

On 4.4.2016 20.57, david wrote:
(...)

Re: VPN suggestions centos 6, 7

By Richard Zimmerman at 04/04/2016 - 14:54

SoftEther VPN

Once setup, it just works....

Regards,

Richard


Re: VPN suggestions centos 6, 7

By David at 04/18/2016 - 10:33

I had lots of suggestions, and the most persuasive was to try
OpenVPN. I already had a CA working, so issuing certificates was
easy. The HOW-TO guides were less helpful than I could hope, but
comparing several of them, applying common sense, and trying things
out, I arrived at a dead-end. Here's essentially what happened:

- None of the HOW-TOs were very clear about the need to add some
attributes to a certificate, keyUsage and extendedKeyUsage. They had
different values for server and client. OpenSSL documentation was a
bit vague on how to add them, but I think I did - the printout of
the entity certificates showed the values. The attempt to connect
failed. The client log is below. I think it's complaining that the
CA certificate doesn't have the keyUsage extension, which makes no
sense to me. Such an extension should be in the end-entity
certificate, not the CA's, unless I'm wrong. I checked the server
and really think that the certificates are in the right place.

To review the situation:
Client: A windows 7 laptop, and it definitely moves around.
Server: Centos 6 running in my home.
Protocol is TCP

Client log, some details replaced with XXXXX

Re: VPN suggestions centos 6, 7

By Paul Heinlein at 04/18/2016 - 12:09

Here's how I managed that in my openssl.cnf file. Lots of bits elided
for clarity's sake:

### start ###
[ ca ]
default_ca = CA_default

[ CA_default ]
x509_extensions = server_cert

[ server_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, dataEncipherment, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
nsCertType = server, client
### end ###

I think the nsCertType directive may be unnecessary these days, but I
keep it around because it doesn't hurt anything.

The important bit is the extendedKeyUsage line; I'm pretty sure that
an OpenVPN server needs the serverAuth extension. For instance, here
is the X509 extensions configuration for a server used by EasyRSA:

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth
keyUsage = digitalSignature,keyEncipherment

You can ask openssl to tell you the purpose of a certificate:

[bash]$ openssl x509 -noout -purpose -in cert.pem | grep SSL
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No

Anyway, those are the extensions that should do away with these
errors:

Re: VPN suggestions centos 6, 7

By David at 04/19/2016 - 05:03

At 09:09 AM 4/18/2016, you wrote:

Paul
Two things...
First, the diagnostic I got referenced the server's CA
certificate. And that confuses me.

Second, when I look at the server's purpose, using the openssl x509 -purpose
command, I get:

SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No

When looking at the CLIENT's purpose, I get

SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No

The difference between what I have and what you reported is that I've
got SSL Client NO on the server, and SSL server NO on the client,
which makes sense to me.
The CA certificate itself, says:

Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Netscape SSL server : Yes
Netscape SSL server CA : Yes
S/MIME signing : Yes
S/MIME signing CA : Yes
S/MIME encryption : Yes
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes

Advice would be appreciated.

David

Re: VPN suggestions centos 6, 7

By Paul Heinlein at 04/19/2016 - 11:57

I'm not sure that's actually what the log is indicating. I think
there's a mismatch between what extensions the server certificate says
it can provide and what the client is expecting.

Can you provide the SSL/TLS parts of your client configuration?

In particular, I expect you'll have a "remote-cert-tls server"
directive. I'd suggest commenting that out (or replacing it with
"ns-cert-type server") and trying again.

If that succeeds, you'll probably need to review your CA
configuration.
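The extension advice in Paul's earlier reply (the [ server_cert ] section and the "openssl x509 -purpose" check) and the "remote-cert-tls server" mismatch discussed just above, as an added example that is not part of the thread: the script signs a throwaway server and client certificate with those extensions and shows which one passes the server-purpose check that directive relies on. The demo CA, key files, and names (vpnserver, laptop) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): put the [ server_cert ] extensions from the
# mailing-list post into a throwaway extfile, sign one server and one client cert with
# a demo CA, and verify only the server cert carries extendedKeyUsage=serverAuth.
set -eu

WORK=$(mktemp -d)

# Extension sections; [ server_cert ] mirrors the post (nsCertType dropped, as the
# post says it is probably unnecessary). [ client_cert ] is the client-side counterpart.
cat > "$WORK/ext.cnf" <<'EOF'
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Throwaway CA (constructed for the demo: 2048-bit RSA, no passphrase, valid one day).
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 1 >/dev/null 2>&1

# issue_cert NAME SECTION: create a key+CSR for NAME and sign it with the given section.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions "$2" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# has_server_auth CERT: succeed only if openssl rates the cert usable as an SSL server,
# i.e. the property an OpenVPN client with "remote-cert-tls server" insists on.
has_server_auth() {
  openssl x509 -noout -purpose -in "$1" | grep -q '^SSL server : Yes'
}

issue_cert vpnserver server_cert
issue_cert laptop client_cert

# Usage: the server cert must pass, the client cert must not.
has_server_auth "$WORK/vpnserver.crt" && echo "vpnserver.crt: SSL server purpose present"
has_server_auth "$WORK/laptop.crt" || echo "laptop.crt: not a server certificate (expected)"
```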

Re: VPN suggestions centos 6, 7

By David at 04/19/2016 - 15:06

At 08:57 AM 4/19/2016, you wrote:
Paul
I'm not sure what you mean by the SSL/TLS parts of client
configuration. Here's what I have for openvpn
Configuration files... comment lines removed

The client file at
c:\program files\OpenVPN\config\client.opvn
The Server file at
/etc/openvpn/openvpn-server.conf
David

Re: VPN suggestions centos 6, 7

By Eero Volotinen at 04/04/2016 - 15:01

And openvpn. Avoid ipsec as it's too complex and pptp is insecure.

Eero
On 4.4.2016 at 9.55 pm, "Richard Zimmerman" < ... at riverbendhose dot com>
wrote:

Re: VPN suggestions centos 6, 7

By Jussi Hirvi at 04/04/2016 - 15:11

On 4.4.2016 22.01, Eero Volotinen wrote:
This made me google around a little, and I found some good info here.
They, too, kind of recommend openvpn.

http://www.howtogeek.com/211329/which-is-the-best-vpn-protocol-pptp-vs.-openvpn-vs.-l2tpipsec-vs.-sstp/

- Jussi

Re: VPN suggestions centos 6, 7

By Gordon Messmer at 04/04/2016 - 16:46

On 04/04/2016 12:11 PM, Jussi Hirvi wrote:
This is not good information.

In brief:

"There are some concerns that the NSA could have weakened the standard,
but no one knows for sure."
Pure FUD. There is no reason to believe this as related to IPSec that
does not apply to other protocols as well. There is, therefore, no
reason to write that other than bias.

"Either way, this is a slower solution than OpenVPN. ... It’s a two-step
process."
OpenVPN tunnels traffic through a user space process, just like
l2tp/ipsec does, and in my experience offers no better performance. If
throughput is your main concern, use IPsec without l2tp.

"because it can be configured to use AES encryption, is arguably more
trustworthy than L2TP/IPsec."
IPSec can also use AES as a cipher and provide PFS, for that matter.

Re: VPN suggestions centos 6, 7

By Waleed Harbi at 04/04/2016 - 16:50

SoftEther VPN all-in-one solution and cross platform.